What is the difference between a PUP and malware?

I’ve googled it, no good. All I got was that malware includes all threats and a PUP only includes adware and spyware (as far as I know, spyware is a type of malware).

Read a bit further and just get "one is legal as it asks for your permission in an EULA which no one reads, and the other is not, as it doesn’t ask for permission."

It just leaves me with more questions than answers. Such as:

Could a keylogger be considered a PUP?

What is the difference between PUP spyware and “malware” spyware?

So once again, question not answered.

Please help clarify.